
access control



I'm trying to set up access controls for the server. Here are the rules
I am trying to implement:

# LDIF continuation lines start with a space; the second space below is kept
# as the separator when the lines are joined.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
  by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write
  by * none
olcAccess: {2}to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write
  by * none
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write
  by group="cn=Management,ou=Groups,dc=moores,dc=ca" write
  by users read
# dn.base and group.exact take a literal DN, not a regex, so they carry no
# trailing "$" anchor.
olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca"
  by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write
  by users read
olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca"
  by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write
  by users read
olcAccess: {6}to *
  by users read
  by * none
-

Basically I have groups, and within those groups I have Contact lists
and administrators. I want the administrator to have write access, other
members to have read access, and non members to have none.

This rule is what I think should work for that:

to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write
  by * none


I know this rule works for individual user contact lists:

to dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
  by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write
  by * none


I think the problem I am running into is having the <who> field as

group.exact,expand

Can I not do this? If not, is there any way to achieve the same result?

thanks,
darryl
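As an added illustration (not from the post, and not OpenLDAP's own code), the Python model below applies the post's rules {1}, {2}, {3} and {6} with slapd's first-match semantics and shows what the $1 expansion turns each <who> pattern into for a given target entry. The group entries, member DNs and the simplified case-insensitive DN comparison are constructed assumptions; slapd.access(5) spells the capture-expanding group style group.expand (or group/<objectclass>/<attrname>.expand) rather than group.exact,expand, which is the first thing to check when rule {2} is loaded.

```python
import re

# Constructed directory fragment (assumed data, not from the post):
# group DN -> set of member DNs, lower-cased for comparison.
GROUPS = {
    "cn=sales,ou=groups,dc=moores,dc=ca": {"uid=alice,ou=people,dc=moores,dc=ca",
                                           "uid=bob,ou=people,dc=moores,dc=ca"},
    "cn=admin,cn=sales,ou=groups,dc=moores,dc=ca": {"uid=alice,ou=people,dc=moores,dc=ca"},
    "cn=management,ou=groups,dc=moores,dc=ca": {"uid=carol,ou=people,dc=moores,dc=ca"},
}

# The post's <what> regexes and <who> clauses in evaluation order, as
# (target regex, [(who kind, who pattern, access level), ...]).  The "group"
# entries model what slapd.access(5) writes as group.expand=...
RULES = [
    (r"ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$",
     [("dn", "uid=$1,ou=People,dc=moores,dc=ca", "write")]),
    (r"ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$",
     [("group", "cn=$1,ou=Groups,dc=moores,dc=ca", "write")]),
    (r"cn=([^,]+),ou=Groups,dc=moores,dc=ca$",
     [("group", "cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca", "write"),
      ("group", "cn=Management,ou=Groups,dc=moores,dc=ca", "write"),
      ("users", "", "read")]),
    (r".*", [("users", "", "read")]),  # the post's {6}: to * by users read by * none
]

def expand(pattern, match):
    """Replace $1..$9 in a <who> pattern with the <what> regex's capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)

def access(target_dn, bind_dn):
    """Access level bind_dn ("" = anonymous) gets on target_dn under RULES.

    Mirrors slapd's first-match rule: the first <what> that matches is the
    only one consulted, and within it the first matching <who> wins; falling
    off the end is the implicit "by * none".  DN equality is simplified to a
    case-insensitive string compare (slapd compares normalised DNs).
    """
    for target_re, who_list in RULES:
        m = re.search(target_re, target_dn, flags=re.IGNORECASE)  # unanchored, like regexec
        if not m:
            continue
        for kind, pattern, level in who_list:
            who = expand(pattern, m).lower()
            if kind == "dn" and bind_dn.lower() == who:
                return level
            if kind == "group" and bind_dn.lower() in GROUPS.get(who, set()):
                return level
            if kind == "users" and bind_dn:
                return level
        return "none"
    return "none"
```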